Statutes, codes, and regulations
New York Codes, Rules and Regulations
Title 23 - FINANCIAL SERVICESChapter I - Regulations of the Superintendent of Financial Services
Part 500 - CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
Section 500.5 - Vulnerability management

N.Y. Comp. Codes R. & Regs. tit. 23 § 500.5

Download
PDF
Current through Register Vol. 46, No. 39, September 25, 2024
Section 500.5 - Vulnerability management

Each covered entity shall, in accordance with its risk assessment, develop and implement written policies and procedures for vulnerability management that are designed to assess and maintain the effectiveness of its cybersecurity program. These policies and procedures shall be designed to ensure that covered entities:

(a) conduct, at a minimum:
(1) penetration testing of their information systems from both inside and outside the information systems' boundaries by a qualified internal or external party at least annually; and
(2) automated scans of information systems, and a manual review of systems not covered by such scans, for the purpose of discovering, analyzing and reporting vulnerabilities at a frequency determined by the risk assessment, and promptly after any material system changes;
(b) are promptly informed of new security vulnerabilities by having a monitoring process in place; and
(c) timely remediate vulnerabilities, giving priority to vulnerabilities based on the risk they pose to the covered entity.

N.Y. Comp. Codes R. & Regs. Tit. 23 § 500.5

Adopted, New York State Register March 1, 2017/Volume XXXIX, Issue 09, eff. 3/1/2017
Amended New York State Register November 1, 2023/Volume XLV, Issue 44, eff. 11/1/2023